signed advisories · archive

Advisories.

Every advisory below is signed against the ceremony root, including advisories for AI model bundles and evidence-policy packs. Critical and high-severity advisories are also PGP-signed in-line for email distribution. The advisory feed is part of the customer console; you do not have to read this page to learn about advisories affecting your deployment, AI models, or evidence workflows. We publish here so that everyone else can read what your auditor will read.

Categories:

  • critical: immediate operational response required, dual-control rotation may be triggered.
  • high: action required within 7 days; defined remediation procedure attached.
  • medium: action recommended; informational where deployment is unaffected.
  • info: no action; posture changes, roadmap, new capability, field study results.
  • deprecated: capability retiring; migration window stated.

2026.

info 3DC-2026-05-A1 — CRYSTALS-Dilithium migration plan
2026-05-12 · affects all modules · mitigation: phased
Roadmap to hybrid Ed25519 + Dilithium-3 signing across the ceremony root, build keys, and printer-side HSMs. Phase-0 shadow signatures are already running on the production fleet; phase-1 hybrid co-signing scheduled 2026 Q4. No customer action required for phase-0; phase-1 requires a routine firmware update per RB-25.
info 3DC-2026-04-A2 — MeshGuard field measurement programme results
2026-04-28 · affects MeshGuard · mitigation: none
Eighteen-month field study results: watermark survival rate across 41 sites, 11 material classes, 7 slicer builds. Headline FPR and detection latency hold against the original specification. Four investigated failure cases attached to the report.
medium 3DC-2026-04-N1 — Materialise Magics slicer attestation in progress
2026-04-15 · affects Vault3D · mitigation: degraded mode
Materialise Magics is moving to the attested-slicer profile, scoped 2026 Q3. Customers using Magics will operate in degraded attestation mode during the transition window; the TwinCert record records this honestly. Customers requiring fully-attested slicers should plan to use Prusa, Cura, Orca, or Bambu Studio in the meantime.
info 3DC-2026-03-A1 — TwinCert profile for NIS2 / EU CRA
2026-03-14 · affects TwinCert · mitigation: none
The TwinCert JSON-LD profile for NIS2 and EU CRA, with explicit article-level mappings. Adopted by two notified bodies as part of their conformity assessment intake. Customers in scope of NIS2 should align their TwinCert profile to the published one.
medium 3DC-2026-02-N1 — manifest schema v3 published
2026-02-20 · affects manifest · mitigation: forward-compatible
Manifest schema v3 is published. v2 manifests continue to be accepted by the verifier-CLI under a 12-month deprecation window. Migration is automatic on the next routine firmware update.
deprecated 3DC-2026-01-D1 — bundle schema v1 retirement
2026-01-09 · affects Vault3D · mitigation: hard retirement
Bundle schema v1 (introduced 2024) is hard-retired in 2026 Q4. v2 bundles have been the default since 2025; production fleets are already on v2 or v3. Hard retirement means the verifier-CLI 2026.10+ will refuse to verify v1 bundles. Audit packages of historical parts produced under v1 should be re-signed with v3 bundles before the cut-off.

2025.

info 3DC-2025-11-A1 — Vault3D firmware update path (RB-25)
2025-11-04 · affects Vault3D · mitigation: built-in
The dual-control firmware update procedure (RB-25) is live across the production fleet. No customer action; this advisory is the public record of the procedure's promotion to general availability.
high 3DC-2025-09-A1 — transient HSM unresponsiveness, vendor X cohort
2025-09-22 · affects Vault3D · mitigation: firmware patch + retry policy
A subset of HSMs (vendor X, firmware versions 4.11–4.13) exhibited transient unresponsiveness under sustained signing load. Patched in HSM firmware 4.14; daemon retry policy hardened in 3dc daemon 2025.10.r4. Affected customers contacted directly during the window.
medium 3DC-2025-08-A1 — pentest H1 2025 findings published
2025-08-11 · affects all modules · mitigation: per-finding
Eleven findings from the H1 2025 external pentest. Two high (remediated within 72h), four medium (remediated within window), five low (tracked). Anonymised report available in signed customer packages.
info 3DC-2025-06-A1 — first production deployment with full TwinCert audit cycle
2025-06-30 · affects TwinCert · mitigation: none
First customer completed a full audit cycle using TwinCert as the evidence layer; auditor accepted the audit package without manual collation. The customer and auditor are named under the customer's disclosure on request.
deprecated 3DC-2025-04-D1 — bundle schema v1 deprecation announced
2025-04-18 · affects Vault3D · mitigation: forward-migrate
Schema v1 is deprecated; the 18-month migration window opens. See 3DC-2026-01-D1 for the hard retirement.
info 3DC-2025-02-A1 — verifier-CLI source publication
2025-02-05 · affects verifier-CLI · mitigation: none
The verifier-CLI source is published under a permissive license. Customers can build and verify the binary themselves; the published SHA-256 in the manifest is reproducible from the published source.

2024.

info 3DC-2024-12-A1 — observer report from ceremony root creation
2024-12-09 · affects ceremony · mitigation: none
Independent observer report from the September 2024 ceremony root creation. Observer: Dr. M. Karras (formerly NCSC). Full observer report available in signed customer packages.
info 3DC-2024-09-A1 — ceremony root creation
2024-09-14 · affects ceremony · mitigation: none
Ceremony root key was created in September 2024 with a 5-of-9 custodian quorum across three jurisdictions. Public key, fingerprint, and witnessed ceremony record on manifest.
info 3DC-2024-07-A1 — first MeshGuard field deployment
2024-07-22 · affects MeshGuard · mitigation: none
MeshGuard moved from pilot to first production deployment in the spare-parts logistics sector. Field measurement programme commenced; results published in 3DC-2026-04-A2.
info 3DC-2024-04-A1 — company founded; first internal commit
2024-04-02 · affects 3DCIPHER · mitigation: none
CIPHERSPHERE TECHNOLOGIES LTD incorporated; first internal commit to the Vault3D code base. This advisory exists for completeness.

How to receive advisories.

Three published channels, in order of cadence:

  • Customer console feed. Customers see advisories affecting their deployment in the console inbox. Real-time, signed.
  • Signed PGP mailing list. All advisories, signed in-line. Subscribe by sending a PGP-signed email to advisories@3dcipher.com; the subscribe handshake is automated and audited.
  • RSS / Atom. Available at /advisories.atom; unsigned, intended for triage tooling only. Do not trust the RSS feed alone; verify against the signed feed before acting.

How to disclose.

If you have a finding to report, please use security@3dcipher.com. PGP fingerprint 0741 9C12 BBEA 4E62 1330 7C5D AE08 5F19 88B0 2E44. We acknowledge within 4 hours during UK working time and within one working day otherwise.

Coordinated disclosure: we follow a standard 90-day disclosure window unless a customer-impact threshold requires a shorter one. Researchers are credited by name unless requested otherwise.